PATENT ABSTRACTS OF JAPAN 



(11) Publication number : 2000-124952

(43)Date of publication of application : 28.04.2000 



(51) Int.Cl.



H04L 12/56 
G06F 13/00 
H04L 12/46 
H04L 12/28 
H04L 12/26 
H04L 12/66 
H04L 12/54 
H04L 12/58 



(21) Application number : 10-293245 

(22) Date of filing : 15.10.1998



(71) Applicant : NTT DATA CORP 

(72) Inventor : BABA TATSUYA 

MATSUDA YOSHIYUKI
FUCHIZAWA HIROTAKA 



(54) METHOD AND SYSTEM FOR TRACKING ELECTRONIC DATA AND RECORDING MEDIUM 

(57)Abstract 

PROBLEM TO BE SOLVED: To provide a data tracking system capable of properly specifying, on the receiving side, the transmission source of electronic data distributed through a network.

SOLUTION: A data tracking system 1 is constituted by providing plural data repeaters 10 chain-connected on the network and a managing system 20 equipped with a means for bidirectionally communicating with the respective data repeaters 10. Each data repeater 10 analyzes the identifier of the low-order layer carrying the electronic data on the network and, based on this analyzed result, specifies the preceding device through which the electronic data passed. When the specified device is provided with a function equal to that of the present device, the further preceding device through which the electronic data passed is specified in turn. Besides, the analyzed result of the present device is reported to the managing system 20 together with prescribed identification information. Based on the information reported from the respective data repeaters 10, the managing system 20 specifies the distribution route of the relevant electronic data.
[0031] The managing system 20 manages the distribution routes of electronic data on the basis of the information reported from the sensors in victims' networks, the respective data repeaters 10, etc., and is realized in a computer system operated under a prescribed OS. Besides a communication control structure 21 for performing interactive communication with the sensors installed in various networks including a victim's network and with the respective data repeaters 10, an attack pattern database 22, an unauthorized access transmission source statistic file 23, an unauthorized access status statistic file 24, and a registration sensor information file 25, the managing system 20 is equipped with at least the function blocks of a tracking instruction unit 26, a route management unit 27, and a warning unit 28. As shown in Fig. 4, these function blocks are formed by a CPU in the body of the computer system reading the program code recorded in the prescribed recording medium and executing it cooperatively with the OS.
[0032] The attack pattern database 22 relates each attack pattern to the code that each sensor outputs at the time of detection, so that uniform processing is possible even though the attack patterns detected by the sensors in a victim's network and the codes output on detection differ from one sensor manufacturer to another. A severity is also related to each pattern as needed, and when a sensor outputs plural codes, one of those codes is selected to be processed preferentially. When a new sensor is used, the identification information of the sensor, the attack patterns it detects, the output codes, and the severity, etc., are recorded additionally. Fig. 5 is a drawing showing an example of the content of the attack pattern database 22.

[0033] The unauthorized access transmission source statistic file 23 accumulates the attack pattern, the date and time, the number of times, etc., for each case in which an attacker is specified; the unauthorized access status statistic file 24 accumulates the number of detections for each attack pattern. These files are used when sending warning mails, etc. Fig. 6 is a drawing showing an example of the content of the unauthorized access transmission source statistic file 23, and Fig. 7 is a drawing showing an example of the content of the unauthorized access status statistic file 24.

[0034] The registration sensor information file 25 registers the type of the sensor used, the identifier of the sensor (the address or the character string inherent to the vendor), the contact information of the administrator, and the address of the data repeater located directly above the sensor (i.e., the tracking start point). By referring to this information, it is possible to know which registration source uses which type of sensor. Fig. 8 is a drawing showing an example of the content of the registration sensor information file 25.

[0035] The tracking instruction unit 26 receives the detected attack pattern from a sensor in a victim's network and, at the same time, specifies the IP address of the data repeater 10 through which data passes immediately before reaching that sensor, by looking up an identifier such as the sensor's address in the registration sensor information file 25, and notifies the specified data repeater 10 of the tracking instruction described above.

[0036] The route management unit 27 manages the distribution routes of the tracking object data passing the respective data repeaters 10 on the basis of the tracking result notifications received from a plurality of data repeaters 10, and specifies the transmission source and/or its administrator.

[0037] The warning unit 28 transmits warning mails in the following cases.

(1) When a notification of an attack is received from a sensor, whether there is a registered sensor that does not support the attack pattern of that attack is checked against the attack pattern database 22; when there is such a sensor, the registration source using it is looked up in the registration sensor information file 25 and a warning mail is automatically transmitted to alert that administrator of the attack.

(2) When the severity recorded in the unauthorized access transmission source statistic file 23 and the number of detections accumulated in the unauthorized access status statistic file 24 reach the prescribed values, a warning mail is automatically transmitted to the administrator of the sensor in the victim's network.

(3) A warning mail is transmitted to the administrator of the attacker. The mail address 
of the administrator of the attacker can be specified from the IP address of the 
transmission source device using the reverse resolution function of DNS (Domain Name 
Service) and the WHOIS database. The WHOIS database is a publicly-known 
database in which the IP address, the domain (organization) name, and the 
administrator's address that have been used can be retrieved online using the address 
name and the domain name as keys. 
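The following is an added example, not code from the patent or from NTT DATA, showing how the attack pattern database 22, the statistic files 23 and 24, the registration sensor information file 25 and the three warning conditions of paragraphs [0032] to [0037] fit together. Every table (sensor types, vendor codes, sensor identifiers, mail addresses, thresholds) is constructed for the example; the rule that the highest-severity code is processed preferentially when a sensor outputs several, and the dictionary standing in for reverse DNS and WHOIS, are assumptions of this example rather than details the patent states.

```python
"""Warning unit model for a sensor-driven tracking manager (added example)."""
from collections import defaultdict

# Constructed attack pattern database (cf. Fig. 5): maps each sensor type's
# vendor-specific output code to a common attack pattern name and a severity 1-5.
ATTACK_PATTERN_DB = {
    ("vendorA", "A-1001"): ("port_scan", 2),
    ("vendorA", "A-1002"): ("port_scan", 2),     # second code for the same pattern
    ("vendorB", "PS"): ("port_scan", 2),
    ("vendorB", "BO"): ("buffer_overflow", 5),   # vendorA has no code for this pattern
}

# Constructed registration sensor information (cf. Fig. 8):
# sensor id -> (sensor type, administrator contact, repeater directly above the sensor)
REGISTERED_SENSORS = {
    "SENSOR-A-01": ("vendorA", "admin@example-a.invalid", "10.0.1.1"),
    "SENSOR-B-01": ("vendorB", "admin@example-b.invalid", "10.0.2.1"),
}

# Constructed stand-in for reverse DNS + WHOIS: specified source IP -> administrator contact
WHOIS_STANDIN = {"192.0.2.10": "abuse@example-net.invalid"}

SEVERITY_THRESHOLD = 4   # assumed "prescribed values" for warning condition (2)
COUNT_THRESHOLD = 3


def normalize(sensor_type, codes):
    """Map one sensor's output code(s) to (pattern, severity); None if no code is known.
    Assumed rule: with several codes, the highest-severity one is processed preferentially."""
    hits = [ATTACK_PATTERN_DB[(sensor_type, c)] for c in codes
            if (sensor_type, c) in ATTACK_PATTERN_DB]
    return max(hits, key=lambda h: h[1]) if hits else None


def sensors_not_supporting(pattern):
    """Sensor types in use that have no output code for this pattern (condition (1))."""
    supported = {stype for (stype, _), (p, _) in ATTACK_PATTERN_DB.items() if p == pattern}
    return {stype for stype, _, _ in REGISTERED_SENSORS.values()} - supported


class WarningUnit:
    def __init__(self):
        self.source_stats = defaultdict(int)   # (attacker_ip, pattern) -> count (file 23)
        self.status_stats = defaultdict(int)   # pattern -> detections (file 24)

    def on_sensor_notification(self, sensor_id, codes, attacker_ip=None):
        """Process one attack notification; returns [(reason, recipient), ...].
        attacker_ip is the transmission source once tracking has specified it."""
        stype, victim_admin, _ = REGISTERED_SENSORS[sensor_id]
        norm = normalize(stype, codes)
        if norm is None:
            return [("unknown_code", victim_admin)]
        pattern, severity = norm
        warnings = []
        # (1) registration sources whose sensor cannot detect this pattern are alerted
        blind_types = sensors_not_supporting(pattern)
        for other_type, admin, _ in REGISTERED_SENSORS.values():
            if other_type in blind_types:
                warnings.append(("unsupported_pattern", admin))
        # (2) update the statistic files and compare against the prescribed values
        self.status_stats[pattern] += 1
        if attacker_ip:
            self.source_stats[(attacker_ip, pattern)] += 1
        if severity >= SEVERITY_THRESHOLD and self.status_stats[pattern] >= COUNT_THRESHOLD:
            warnings.append(("threshold", victim_admin))
        # (3) administrator of the specified transmission source, via the WHOIS stand-in
        if attacker_ip in WHOIS_STANDIN:
            warnings.append(("attacker_admin", WHOIS_STANDIN[attacker_ip]))
        return warnings
```

The point of `normalize` is the one the paragraph makes: the manager never branches on a vendor code, only on the common pattern name and severity, so adding a sensor type means adding rows to the table rather than logic.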

[0038] It should be noted that the recording medium recording the above program code is usually a fixed disk or a semiconductor memory that can be read by a CPU when needed; however, it is allowable to use a removable medium such as a flexible disk, a hard disk, an optical disk, a magneto-optical disk, a CD-ROM, a DVD, or a magnetic tape, or an item distributed by being stored on a program code server, etc., that can be accessed by a computer and installed on the above fixed disk when in operation. In addition, the respective function blocks 26-28 need not be formed only by a CPU executing the above program code; it is allowable to let the OS perform a portion of the actual processing on the basis of the instructions of the program code, and to form the respective function blocks 26-28 through this processing.
[0039] Next, the operational procedures of the data tracking system 1 configured as described above are explained specifically according to the flow chart shown in Fig. 9. Here, assume that the electronic data (the tracking object data) passing the respective data repeaters 10 is a packet of a certain size. The sensor in a victim's network notifies the management system 20 of the attack pattern and the feature information of the packet that should be tracked (Step S101). The management system 20 that received the notification transmits a tracking instruction containing the feature information and the notification address for the tracking result to the data tracking structure embedded in the data repeater 10 immediately preceding the sensor in the victim's network (Step S102).

[0040] The data repeater 10 that received the tracking instruction checks whether there are a plurality of routes to be tracked in itself and, when there are, monitors for a packet that matches the feature information passed from the management system 20 (Yes in Step S103, and Step S104). When the corresponding packet passes, it is captured as the tracking object packet, and the interface through which the tracking object packet arrived is specified (Yes in Step S105, and Step S106).

[0041] When it is found that the interface was an Ethernet or a LAN such as FDDI, the preceding device is specified by checking the transmission source MAC address contained in the tracking object packet (Step S108a). When it is found that the interface was a frame relay network, the other side's device is specified by the DLCI in the data link layer frame carrying the tracking object packet (Step S108b). When it is found that the interface was an ATM network, the other side's device is specified by the VPI/VCI of the cell carrying the tracking object packet (Step S108c). When it is found that the interface was a leased circuit, the step immediately proceeds to the next process.

[0042] After that, the IP address of the specified device is found by referring to the ARP table in the data repeater 10, and the management system 20 is notified of this address as a tracking result together with the tracking order information of the data repeater 10 (Step S109). When the same data tracking structure as that of the data repeater 10 exists in the specified device, a tracking instruction containing the feature information described above and the tracking order information of the data repeater 10 is transmitted to that device (Yes in Step S110, and Step S111).

[0043] The above operation is repeated until no data tracking structure exists in the specified device (No in Step S110). When no data tracking structure exists, the process is terminated by notifying the management system 20 of an analysis result stating that this data repeater 10 is the final data tracking device, together with the IP address specified for the preceding device. By doing this, it becomes possible for the management system 20 to specify the transmission source device of the tracking object packet and the system adjacent to it. It should be noted that when a corresponding packet could not be captured after a certain period of monitoring, the process is terminated since it is considered that no further corresponding packet will be distributed (Yes in Step S107). In this case, as described above, a notification stating that this is the final data repeater is transmitted to the management system 20 together with the error.

[0044] The management system 20 specifies the distribution route of the tracking object data on the basis of the information reported from the respective data repeaters 10. In addition, the organization managing the transmission source device is specified by using the WHOIS database described above and other external databases, etc., on the basis of the information reported from the final data repeater 10 (the data repeater 10 reporting that it is the final device), and a warning mail is transmitted as needed.
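As an added example that is not code from the patent or from NTT DATA, the hop-by-hop procedure of paragraphs [0039] to [0044] can be simulated end to end: a chain of data repeaters, each mapping the lower-layer identifier of a captured packet (source MAC, frame relay DLCI, or ATM VPI/VCI) to the upstream device and resolving that device's IP address through its ARP-style table, and a manager that issues the tracking instruction, collects the ordered reports and reconstructs the route. The topology, the packet, the identifier tables and the timeout handling (a repeater that never captures a matching packet reports itself as final, with an error) are all constructed for this example; the claimed IP address of the packet is deliberately never used for the trace, which is the property the text relies on.

```python
"""Hop-by-hop traceback simulation across chained data repeaters (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    """A captured tracking-object packet with the identifiers the procedure inspects."""
    src_ip: str                      # claimed source; may be spoofed, never trusted here
    src_mac: Optional[str] = None    # Ethernet / FDDI (Step S108a)
    dlci: Optional[int] = None       # frame relay (Step S108b)
    vpi_vci: Optional[tuple] = None  # ATM (Step S108c)


@dataclass
class Repeater:
    """One data repeater 10 with its data tracking structure (constructed model)."""
    name: str
    ip: str
    link_type: str                           # "ethernet", "frame_relay", "atm", "leased"
    l2_table: dict = field(default_factory=dict)   # lower-layer id -> upstream device name
    arp_table: dict = field(default_factory=dict)  # upstream device name -> IP address
    leased_peer: Optional[str] = None        # the single peer on a leased circuit
    captured: Optional[Packet] = None        # packet seen during monitoring, or None

    def identify_upstream(self, pkt):
        """Specify the preceding device from the interface's lower-layer identifier."""
        if self.link_type == "ethernet":
            return self.l2_table.get(pkt.src_mac)
        if self.link_type == "frame_relay":
            return self.l2_table.get(pkt.dlci)
        if self.link_type == "atm":
            return self.l2_table.get(pkt.vpi_vci)
        return self.leased_peer              # leased circuit: proceed directly


def trace(network, start, feature):
    """Manager-side driver: send tracking instructions hop by hop, collect reports.

    network: repeater name -> Repeater (devices that carry a tracking structure)
    start:   the repeater directly above the victim's sensor (tracking start point)
    feature: predicate on Packet representing the feature information from the sensor
    Returns the list of reports in tracking order.
    """
    reports, order, current = [], 1, network[start]
    while True:
        pkt = current.captured if current.captured and feature(current.captured) else None
        if pkt is None:
            # No matching packet within the monitoring period (Step S107): final, with error.
            reports.append({"order": order, "repeater": current.name, "upstream": None,
                            "upstream_ip": None, "final": True, "error": "timeout"})
            break
        upstream = current.identify_upstream(pkt)
        upstream_ip = current.arp_table.get(upstream)            # Step S109
        has_tracker = upstream in network                         # Step S110
        reports.append({"order": order, "repeater": current.name, "upstream": upstream,
                        "upstream_ip": upstream_ip, "final": not has_tracker, "error": None})
        if not has_tracker:
            break
        current, order = network[upstream], order + 1             # Step S111
    return reports


def route_from_reports(reports):
    """Reconstruct the distribution route, victim side first, ending at the source device."""
    route = [r["repeater"] for r in reports]
    if reports[-1]["upstream"] is not None:
        route.append(reports[-1]["upstream"])
    return route


def build_demo_network():
    """Constructed three-hop topology: Ethernet -> frame relay -> ATM -> untracked host."""
    pkt = Packet(src_ip="203.0.113.5", src_mac="02:00:00:00:00:02", dlci=16, vpi_vci=(0, 32))
    r1 = Repeater("R1", "10.0.1.1", "ethernet", l2_table={"02:00:00:00:00:02": "R2"},
                  arp_table={"R2": "10.0.1.2"}, captured=pkt)
    r2 = Repeater("R2", "10.0.1.2", "frame_relay", l2_table={16: "R3"},
                  arp_table={"R3": "10.0.2.3"}, captured=pkt)
    r3 = Repeater("R3", "10.0.2.3", "atm", l2_table={(0, 32): "host-x"},
                  arp_table={"host-x": "192.0.2.10"}, captured=pkt)
    return {r.name: r for r in (r1, r2, r3)}


if __name__ == "__main__":
    net = build_demo_network()
    reps = trace(net, "R1", lambda p: p.src_ip == "203.0.113.5")
    print(route_from_reports(reps), reps[-1]["upstream_ip"])
```

Note that the claimed source 203.0.113.5 never appears in the reconstructed route; the source device is reached only through link-layer identifiers and the repeaters' own ARP tables, which is what makes the result robust to a disguised IP address.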

[0045] As described above, in the data tracking system 1 in the embodiment, a 
transmission source can be precisely identified by analyzing an identifier such as a 
frame in the lower layer even when the IP address of the transmission source is 
suspicious. In addition, it is possible to specify the distribution route the tracking 
object data has passed as well. As a result, the benefit a performer of an unauthorized 
access receives by disguising the IP address of the transmission source will be lost and 
thus the effective prevention of an unauthorized access can be achieved. 
[Drawing sheets and reference numerals of publication 2000-124952 (Fig. 2 to Fig. 9) follow in the original; the scan preserves only fragments: sample MAC addresses in Fig. 3 (a)/(b), dated detection counts in the statistic file figure, and sample sensor identifiers with administrator mail addresses in the registration sensor information file figure. Reference numerals legible in the scan: 1 data tracking system, 10 data repeater, 20 managing system, 21 communication control structure, 22 attack pattern database, 23 unauthorized access transmission source statistic file, 24 unauthorized access status statistic file, 25 registration sensor information file, 26 tracking instruction unit, 27 route management unit, 28 warning unit.]



(51) Int.Cl.7 / FI (reference): H04L 12/66; H04L 11/20 101B; H04L 12/54; H04L 12/58
F-term (reference): 5B089 GA00 HB02 HB19 JA40 JB16 KA17 KB06 KG05 RG08; 5K030 GA11 HA06 HA08 HB14 HC01 HC14 JA11 LB05; 5K033 CB08 DA14 DB18 EC03



